In 2022, the Securing Government Services team at the Central Digital and Data Office came across an interesting problem with SPF. The team found a small bug with how UK government domains’ administrators managed the Sender Policy Framework or SPF records.
SPF is an email authentication protocol that lets a domain publish which IP addresses are authorized to send mail on its behalf, so that messages from trusted sources reach recipients' primary inboxes while suspicious ones are marked as spam or rejected. So, if exampledomain.gov.uk uses Microsoft Outlook to send email, the administrator in charge has to create a TXT record in the domain's DNS listing every IP address allowed to send on its behalf.
This tells receiving mail servers across the internet that a message claiming to come from exampledomain.gov.uk should be treated as authorized and non-malicious only if it was sent from an Outlook server whose IP address is listed in the SPF record.
This prevents adversaries from impersonating officials and sending out fraudulent emails.
[Image: The impact of a DNS attack (image sourced from catchpoint.com)]
How was the Problem Discovered?
The security team noticed that an SPF record had no misconfigurations, yet it was being marked as invalid, risking the protection of officials and citizens. The SPF record under observation was this:
"v=spf1 include:example.com include:spfprotectionoutlook.com -all"
To begin with, the team performed a simple conformance check to see whether the record used the correct syntax. It did.
Next, they evaluated the included domains by performing DNS lookups, and that is where they found the problem: the second domain was spelled incorrectly, so a DNS lookup on it returned NXDOMAIN. Under RFC 7208 (section 5.2), an include mechanism whose target yields no SPF record at all does not simply fail to match; it produces a permerror, and that permerror invalidates the domain's entire published SPF record. Earlier, the team had been under the impression that a partially matching set of includes would still validate and that the overall SPF record would remain valid. After rereading the specification, they realized this was not the case.
Resolving the Issue
The problem was resolved by correcting the spelling of the misspelled domain; however, the team still does not know whether threat actors exploited it. The lesson was that someone should regularly audit the domain names referenced in SPF records, since they can be misspelled or can expire. It is also worth checking with more than one SPF validator, because implementations differ and may report different results.
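The include-chain audit described above, as an added example (not code from the original post): it walks a record's include mechanisms the way RFC 7208 section 5.2 prescribes, reporting a permerror when an include target has no SPF record, and counts DNS-querying terms against the 10-lookup limit. DNS is replaced by constructed in-memory zones so it runs offline; the corrected include spelling is not given in the post, so the fixed zone assumes Microsoft 365's published include domain, spf.protection.outlook.com, with constructed record content.

```python
import re
from typing import Optional

# Constructed stand-in for DNS TXT lookups (no network). The second include
# target of the post's record is deliberately absent, i.e. it would NXDOMAIN.
BROKEN_ZONE = {
    "exampledomain.gov.uk": ["v=spf1 include:example.com include:spfprotectionoutlook.com -all"],
    "example.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
}
# Same zone with the include corrected. ASSUMPTION: the post does not state the
# intended spelling; spf.protection.outlook.com is Microsoft 365's published include.
FIXED_ZONE = dict(BROKEN_ZONE)
FIXED_ZONE["exampledomain.gov.uk"] = ["v=spf1 include:example.com include:spf.protection.outlook.com -all"]
FIXED_ZONE["spf.protection.outlook.com"] = ["v=spf1 ip4:198.51.100.0/24 -all"]  # constructed content

MECH = re.compile(r"^[+\-~?]?(all|include|a|mx|ptr|ip4|ip6|exists)(?::([^/]+))?(?:/\d+){0,2}$", re.I)
MODIFIER = re.compile(r"^[a-z][a-z0-9_.-]*=", re.I)   # redirect=, exp=, ... (not evaluated here)
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # terms that cost a DNS query

def audit(domain: str, zone: dict, lookups: Optional[list] = None) -> tuple:
    """Walk the include chain of `domain` and return (result, findings).
    result is 'ok' (usable record), 'none' (no v=spf1 record: NXDOMAIN or
    missing TXT) or 'permerror'. Per RFC 7208 s5.2, an included domain that
    yields 'none' or 'permerror' turns the including record into 'permerror'."""
    lookups = [0] if lookups is None else lookups      # counter shared across the recursion
    records = [t for t in zone.get(domain, []) if t.lower().startswith("v=spf1")]
    if not records:
        return "none", [f"{domain}: no v=spf1 TXT record (NXDOMAIN or missing)"]
    if len(records) > 1:
        return "permerror", [f"{domain}: {len(records)} v=spf1 records published"]
    findings = []
    for term in records[0].split()[1:]:
        m = MECH.match(term)
        if not m:
            if MODIFIER.match(term):
                continue                               # modifiers are outside this check
            return "permerror", findings + [f"{domain}: unknown term '{term}'"]
        mech, target = m.group(1).lower(), m.group(2)
        if mech in LOOKUP_MECHS:
            lookups[0] += 1
            if lookups[0] > 10:                        # RFC 7208 s4.6.4 limit
                return "permerror", findings + [f"{domain}: more than 10 DNS-querying terms"]
        if mech == "include":
            sub, sub_findings = audit(target, zone, lookups)
            findings += sub_findings
            if sub != "ok":
                return "permerror", findings + [f"{domain}: include:{target} evaluated to {sub}, record is permerror"]
    return "ok", findings
```

Swapping `zone.get(domain, [])` for a live TXT lookup (for example with dnspython) turns this into a real periodic check for the misspelled or expired includes the post warns about.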
When an SPF record is deemed invalid, it compromises the effectiveness of this security measure, leaving the email domain susceptible to unauthorized use and potential exploitation by malicious actors. An invalid SPF record can result from syntax errors, outdated information, or improper configuration. Maintaining a valid SPF record is essential for ensuring that email recipients can trust the authenticity of messages originating from a particular domain.
A valid SPF record enhances email deliverability, reduces the likelihood of emails being marked as spam, and bolsters overall cybersecurity. Therefore, it is imperative for organizations and domain owners to regularly update and validate their SPF records to uphold the integrity of their email communication and fortify their defenses against phishing attempts and other email-based threats. Reach out to AutoSPF for any inquiries related to SPF Records.